Date: Wed, 05 Apr 2017 14:29 +0200
From: Nils Beyer <nbe@renzel.net>
To: freebsd-net@freebsd.org
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
References: <4956261.2DO1X0b8Gd@asbach.renzel.net> <20170405113352.GB20974@zxy.spb.ru>
Slawa Olhovchenkov wrote:
> I.e. you can't build rules based on "replies", only on "origins",
> source IP address generated packets (as your ipfw fwd rules).

Okay, let's ditch the word "reply". I meant it so that these packets are generated by software due to incoming packets.

If I try

    ping -S 8.0.0.1 8.8.8.8

or

    ping -S 9.0.0.1 8.8.8.8

I always see packets only going out on the default gateway's interface.

So, I refine my question to: in what way are these PF rules:
------------------------------------------------------------------------------
pass out on wan1 route-to (wan2 9.0.0.254) from 9.0.0.1
pass out on wan2 route-to (wan1 8.0.0.254) from 8.0.0.1
------------------------------------------------------------------------------
different from these IPFW rules:
------------------------------------------------------------------------------
ipfw add 65000 fwd 9.0.0.254 all from 9.0.0.1 to any via wan1
ipfw add 65001 fwd 8.0.0.254 all from 8.0.0.1 to any via wan2
------------------------------------------------------------------------------
?

Regards,
Nils